nix: boostrap "v2" tree (#3740)

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
2025-08-03 12:36:09 -04:00 · 2025-04-04 10:22:28 +02:00 · 2025-04-04 10:22:28 +02:00 · e5d22ebcaf
commit e5d22ebcaf
parent 0926b82a65
9 changed files with 119 additions and 25 deletions
--- a/flake.lock
+++ b/flake.lock
@ -18,13 +18,13 @@
        "type": "github"
      }
    },
-    "nixpkgsUnstable": {
+    "nixpkgs": {
      "locked": {
-        "lastModified": 1733376361,
-        "narHash": "sha256-aLJxoTDDSqB+/3orsulE6/qdlX6MzDLIITLZqdgMpqo=",
+        "lastModified": 1743689281,
+        "narHash": "sha256-y7Hg5lwWhEOgflEHRfzSH96BOt26LaYfrYWzZ+VoVdg=",
        "owner": "NixOS",
        "repo": "nixpkgs",
-        "rev": "929116e316068c7318c54eb4d827f7d9756d5e9c",
+        "rev": "2bfc080955153be0be56724be6fa5477b4eefabb",
        "type": "github"
      },
      "original": {
@ -37,7 +37,7 @@
    "root": {
      "inputs": {
        "flake-utils": "flake-utils",
-        "nixpkgsUnstable": "nixpkgsUnstable"
+        "nixpkgs": "nixpkgs"
      }
    },
    "systems": {
--- a/flake.nix
+++ b/flake.nix
@ -2,7 +2,7 @@
  description = "Constellation";

  inputs = {
-    nixpkgsUnstable = {
+    nixpkgs = {
      url = "github:NixOS/nixpkgs/nixpkgs-unstable";
    };
    flake-utils = {
@ -13,21 +13,29 @@
  outputs =
    {
      self,
-      nixpkgsUnstable,
+      nixpkgs,
      flake-utils,
    }:
    flake-utils.lib.eachDefaultSystem (
      system:
      let
-        pkgsUnstable = import nixpkgsUnstable { inherit system; };
+        pkgs = import nixpkgs {
+          inherit system;
+          config.allowUnfree = true;

-        callPackage = pkgsUnstable.callPackage;
+          overlays = [
+            (_final: prev: (import ./nix/packages { inherit (prev) lib callPackage; }))
+            (_final: prev: { lib = prev.lib // (import ./nix/lib { inherit (prev) lib callPackage; }); })
+          ];
+        };
+
+        callPackage = pkgs.callPackage;

        mkosiDev = (
-          pkgsUnstable.mkosi.overrideAttrs (oldAttrs: {
+          pkgs.mkosi.overrideAttrs (oldAttrs: {
            propagatedBuildInputs =
              oldAttrs.propagatedBuildInputs
-              ++ (with pkgsUnstable; [
+              ++ (with pkgs; [
                # package management
                dnf5
                rpm
@ -52,41 +60,48 @@
        );
      in
      {
+        # Use `legacyPackages` instead of `packages` for the reason explained here:
+        # https://github.com/NixOS/nixpkgs/blob/34def00657d7c45c51b0762eb5f5309689a909a5/flake.nix#L138-L156
+        # Note that it's *not* a legacy attribute.
+        legacyPackages = {
+          generate = pkgs.callPackage ./nix/generate.nix { };
+        } // pkgs;
+
        packages.mkosi = mkosiDev;

-        packages.uplosi = pkgsUnstable.uplosi;
+        packages.uplosi = pkgs.uplosi;

-        packages.openssl = callPackage ./nix/cc/openssl.nix { pkgs = pkgsUnstable; };
+        packages.openssl = callPackage ./nix/cc/openssl.nix { pkgs = pkgs; };

        packages.cryptsetup = callPackage ./nix/cc/cryptsetup.nix {
-          pkgs = pkgsUnstable;
-          pkgsLinux = import nixpkgsUnstable { system = "x86_64-linux"; };
+          pkgs = pkgs;
+          pkgsLinux = import nixpkgs { system = "x86_64-linux"; };
        };

        packages.libvirt = callPackage ./nix/cc/libvirt.nix {
-          pkgs = pkgsUnstable;
-          pkgsLinux = import nixpkgsUnstable { system = "x86_64-linux"; };
+          pkgs = pkgs;
+          pkgsLinux = import nixpkgs { system = "x86_64-linux"; };
        };

        packages.libvirtd_base = callPackage ./nix/container/libvirtd_base.nix {
-          pkgs = pkgsUnstable;
-          pkgsLinux = import nixpkgsUnstable { system = "x86_64-linux"; };
+          pkgs = pkgs;
+          pkgsLinux = import nixpkgs { system = "x86_64-linux"; };
        };

        packages.vpn = callPackage ./nix/container/vpn/vpn.nix {
-          pkgs = pkgsUnstable;
-          pkgsLinux = import nixpkgsUnstable { system = "x86_64-linux"; };
+          pkgs = pkgs;
+          pkgsLinux = import nixpkgs { system = "x86_64-linux"; };
        };

-        packages.awscli2 = pkgsUnstable.awscli2;
+        packages.awscli2 = pkgs.awscli2;

-        packages.createrepo_c = pkgsUnstable.createrepo_c;
+        packages.createrepo_c = pkgs.createrepo_c;

-        packages.dnf5 = pkgsUnstable.dnf5;
+        packages.dnf5 = pkgs.dnf5;

        devShells.default = callPackage ./nix/shells/default.nix { };

-        formatter = nixpkgsUnstable.legacyPackages.${system}.nixpkgs-fmt;
+        formatter = nixpkgs.legacyPackages.${system}.nixpkgs-fmt;
      }
    );
 }
--- a/nix/lib/by-name/constellationRepoRoot/package.nix
+++ b/nix/lib/by-name/constellationRepoRoot/package.nix
@ -0,0 +1,3 @@
+# Returns a reference to the root path of the Constellation repository.
+
+_: ../../../../.
--- a/nix/lib/by-name/constellationRepoRootSrc/package.nix
+++ b/nix/lib/by-name/constellationRepoRootSrc/package.nix
@ -0,0 +1,12 @@
+# Returns a package set originating from the root of the Constellation repository.
+# The `files` attribute is a list of paths relative to the root of the repository.
+
+{ lib }:
+files:
+let
+  filteredFiles = lib.map (subpath: lib.path.append lib.constellationRepoRoot subpath) files;
+in
+lib.fileset.toSource {
+  root = lib.constellationRepoRoot;
+  fileset = lib.fileset.unions filteredFiles;
+}
--- a/nix/lib/by-name/constellationVersion/package.nix
+++ b/nix/lib/by-name/constellationVersion/package.nix
@ -0,0 +1,3 @@
+# Returns the current Continuum version, as defined in `version.txt`.
+
+{ lib }: builtins.readFile (lib.path.append lib.constellationRepoRoot "version.txt")
--- a/nix/lib/default.nix
+++ b/nix/lib/default.nix
@ -0,0 +1,8 @@
+{
+  lib,
+  callPackage,
+}:
+lib.packagesFromDirectoryRecursive {
+  inherit callPackage;
+  directory = ./by-name;
+}
--- a/nix/packages/by-name/buildConstellationGoModule/package.nix
+++ b/nix/packages/by-name/buildConstellationGoModule/package.nix
@ -0,0 +1,26 @@
+# A 'wrapped' Go builder for Constellation, which doesn't require a `vendorHash` to be set in each package.
+# Instead, one central vendor hash is set here, and all packages inherit it.
+
+{
+  buildGo124Module,
+  constellation-canonical-go-package,
+}:
+args:
+(buildGo124Module (
+  {
+    # We run tests in CI, so don't run them at build time.
+    doCheck = false;
+
+    # Disable CGO by default.
+    env.CGO_ENABLED = "0";
+  }
+  // args
+)).overrideAttrs
+  (_oldAttrs: {
+    inherit (constellation-canonical-go-package)
+      goModules
+      vendorHash
+      proxyVendor
+      deleteVendor
+      ;
+  })
--- a/nix/packages/by-name/constellation-canonical-go-package/package.nix
+++ b/nix/packages/by-name/constellation-canonical-go-package/package.nix
@ -0,0 +1,19 @@
+{
+  lib,
+  buildGo124Module,
+}:
+buildGo124Module {
+  pname = "constellation-canonical-go-package";
+  version = lib.constellationVersion;
+
+  src = lib.constellationRepoRootSrc [
+    "go.mod"
+    "go.sum"
+  ];
+
+  vendorHash = "sha256-McWiTTz1HTdG3x0LI87CF6oTRFtxSiV3LCCBJb9YG4U=";
+
+  doCheck = false;
+
+  proxyVendor = true;
+}
--- a/nix/packages/default.nix
+++ b/nix/packages/default.nix
@ -0,0 +1,8 @@
+{
+  lib,
+  callPackage,
+}:
+lib.packagesFromDirectoryRecursive {
+  inherit callPackage;
+  directory = ./by-name;
+}